Security tools win on tolerance, not affection

15 August 2024 | security, product

There is a version of product thinking that assumes users stay with a platform because they love it. That version is wrong, at least in security.

Security operators stay with their incumbent tools because migration is expensive, organizational inertia is powerful, and the pain of switching exceeds the pain of staying. Alert fatigue gets normalized. Detection tuning gets deferred. Fidelity slowly degrades. Real threats get lost in noise. And yet: no one leaves.

This creates a specific kind of trap for anyone building in this space. The bar for adoption is not “better than the competition.” The bar is “different enough that the switching cost is worth paying.” Those are very different problems.

The implication for product: you are not competing against other tools. You are competing against tolerance. Against the deeply human capacity to adapt to a broken workflow and stop noticing it is broken.

The way out is not feature parity. It is finding the thing the incumbent cannot do structurally, not just functionally. The thing that is impossible given how they are architected, not just something they have not gotten around to building.

For most security platforms, that structural constraint is timing. They are architected around log ingestion and post-hoc analysis. They see what happened after it happened. The gap between when a threat completes and when an analyst understands it is where the interesting work lives, and most tools are not positioned to close it.

That gap is where the real product opportunity sits. Not in building a better version of what already exists, but in doing something the incumbent structurally cannot do from where they are standing.
